Criminals are relentless and innovative, and we in the security space need to be the same in our defense. Payment card security today and in the future is a complex challenge, one that cannot be solved by any single technology, standard, mandate, or regulation. Business, standards-setting bodies, policymakers and law enforcement must work together – to protect the financial and privacy interests of consumers.

Congressional hearings this week will discuss the issue of data security breaches and how to empower the business community to be better prepared to prevent breaches like the recent Target and Neiman Marcus incidents.  Leadership at PCI SSC, the Payment Card Industry Security Standards Council, will be participating in these hearings and believe it provides the opportunity to highlight the security best practices that dramatically reduce the chance for successful attacks.

For the past seven years, the council has been working with our global community of industry players to create strong standards for keeping consumer cardholder data safe.  And with the right approach, we will continue to make significant progress across a wide spectrum of the economy to protect consumers from future threats.

Government can and should play a greater role in encouraging stronger law enforcement efforts worldwide and promoting information sharing between the public and private sector.  PCI continues to work in cooperation with government providing expertise, innovation and ideas to NIST, DHS and other government entities. PCI remains ready to provide additional support. We feel strongly however, that the development of standards to protect payment card data and consumers is something the private sector, and PCI specifically, is uniquely qualified to do.  It would be challenging for any government agency to foster the same level of collaboration among stakeholders, or duplicate the expansive global reach, cross-industry expertise, and decisiveness that PCI leverages to create standards for protecting card data globally.

Much of the commentary and public debate about the unfortunate high-profile data breaches at retailers has focused on EMV chip – a technology that has widespread use in Europe and other markets. EMV is an extremely effective method of reducing card fraud in face to face payment environments. That’s why the PCI Security Standards Council supports the deployment of EMV Chip technology. While EMV Chip can help with one part of the problem, there’s no single solution that addresses all security challenges. For example, EMV Chip is not intended to protect the ever growing part of our global economy that conducts business online. EMV Chip along with PCI Standards and other technologies that devalue data provides a multi-layered strategy for defending against criminals that are after card data for fraudulent use.

A multi-layered approach is what’s needed, as evidenced by the complex nature of these recent attacks. PCI provides this approach - we work with a community of over one thousand of the world’s leading businesses to create a series of standards that cover data security, point of sale devices and more. And as security constantly evolves and new threats emerge regularly, we’re always monitoring vulnerabilities and breaches and modifying our standards as necessary.

PCI Standards are a strong framework for improving card data protection globally.  Though you do not hear about the countless attacks that have been thwarted by PCI Standards, their value is evidenced by the large number of companies who choose to invest in, contribute to and rely on them in their data protection efforts.  Simply put, the PCI Security Standards Council is an excellent example of effective collaboration to develop  standards that defend against the criminals seeking to steal payment card data. 

The discussion among policy makers must not break down into finger pointing.  With smart collaboration between the public and private sector, we can dramatically improve the chances of staying one step ahead of the bad guys.

Russo is general manager at the PCI Security Standards Council.